<pedantry but technically critical pedantry> [ and 06:00 here so i am probably also making critical errors ]
I don't think rr.arin.net and RPKI have anything to do with each other. I think the direction the RPKI should/is taking is to have the RIR sign a ROA to the ORG that they allocate the address space to...
s/ROA/resource certificate/
Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the ORG that they assign address space to.
idem, it is only when you get down to someone who has [a piece of] that allocation they wish to announce into bgp that they actually cause a ROA to be issued which may be validated using the cert chain.
The parts of the puzzle here that ARIN (or really any RIR) is responsible for are the 'signing roas to allocatees' (the "up/down protocol" as it's referred to in the drafts).
I believe the 'up/down protocol' part here is critical, the "web server" part ... I'm not sure is so critical, maybe a third party makes that happen outside of the ARIN management chain?
this is easily done with the rpki, up/down, publication, ... architecture.
Using someone not yourself (ARIN or another third party) to manage your ROA data means you probably have (in the most simple case) given that third party the ability to sign objects for you; that means they have your private key(s) and can break you by mistake/malfeasance/oversight/etc. For this reason some folks may be ok with using a third party; many will choose to hold their fate in their own hands.
exactly. but only if the parent runs the up/down ('provisioning') protocol, does the child have that choice. randy
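The chain the thread describes (RIR signs a resource certificate to the allocatee, the LIR signs one down to its assignee, and only the final holder issues a ROA that validates up that chain) as an added worked example. This is not code from the thread, from ARIN or from any RPKI implementation: real RPKI objects are RFC 3779 X.509 resource certificates and CMS-signed ROAs verified with public keys, whereas here a certificate is a dict and the signature is an HMAC keyed by the issuer's private key, a stand-in so the validation walk runs offline with only the standard library. The key names, organisation names, prefixes (documentation ranges) and ASN are all constructed.

```python
"""Toy model of the RPKI certificate chain and ROA validation (added example).

Shape follows the thread: trust anchor -> RIR -> LIR -> end-entity cert -> ROA.
Each level can only hand down resources it itself holds (the RFC 3779 / RFC 6487
containment rule), and the ROA is checked against the end-entity certificate.
Signatures are HMACs keyed by the issuer's hypothetical private key; this is a
stand-in for real public-key signatures, not how RPKI signs anything.
"""
import hashlib
import hmac
import ipaddress
import json

# Hypothetical private keys. Whoever holds KEYS["lir"] can issue under "LIR",
# which is exactly the trust you extend when a third party manages your ROAs.
KEYS = {"ta": b"ta-secret", "rir": b"rir-secret", "lir": b"lir-secret", "ee": b"ee-secret"}


def sign(key_id, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()


def make_cert(issuer_key_id, issuer_name, subject_name, subject_key_id, resources):
    body = {"issuer": issuer_name, "subject": subject_name,
            "key_id": subject_key_id, "resources": sorted(resources)}
    return {"body": body, "sig": sign(issuer_key_id, body)}


def make_roa(ee_cert, asn, prefix, max_length):
    body = {"asn": asn, "prefix": prefix, "maxLength": max_length}
    return {"body": body, "sig": sign(ee_cert["body"]["key_id"], body), "ee_cert": ee_cert}


def covered(resources, prefix):
    """True if prefix lies inside one of the resource prefixes (same IP version)."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == r.version and net.subnet_of(r)
               for r in map(ipaddress.ip_network, resources))


def validate_chain(trust_anchor, chain):
    """Walk from the trust anchor down; return (ok, reason or leaf certificate)."""
    issuer = trust_anchor
    for cert in chain:
        body = cert["body"]
        if body["issuer"] != issuer["body"]["subject"]:
            return False, "issuer name mismatch"
        if not hmac.compare_digest(cert["sig"], sign(issuer["body"]["key_id"], body)):
            return False, "bad signature"
        # A child certificate may not claim resources its issuer does not hold.
        if not all(covered(issuer["body"]["resources"], r) for r in body["resources"]):
            return False, "resources exceed issuer's"
        issuer = cert
    return True, issuer


def validate_roa(trust_anchor, chain, roa):
    ok, leaf = validate_chain(trust_anchor, chain + [roa["ee_cert"]])
    if not ok:
        return False, leaf
    body = roa["body"]
    if not hmac.compare_digest(roa["sig"], sign(leaf["body"]["key_id"], body)):
        return False, "bad ROA signature"
    if not covered(leaf["body"]["resources"], body["prefix"]):
        return False, "ROA prefix outside EE certificate"
    if body["maxLength"] < ipaddress.ip_network(body["prefix"]).prefixlen:
        return False, "maxLength shorter than prefix"
    return True, "valid ROA"


def route_origin_validation(prefix, asn, valid_roas):
    """RFC 6811 outcome for a BGP announcement given already-validated ROAs."""
    net = ipaddress.ip_network(prefix)
    covering = [r["body"] for r in valid_roas if covered([r["body"]["prefix"]], prefix)]
    if not covering:
        return "not-found"
    if any(r["asn"] == asn and net.prefixlen <= r["maxLength"] for r in covering):
        return "valid"
    return "invalid"


# Constructed hierarchy: documentation prefixes, private-use ASN.
TA = make_cert("ta", "TA", "TA", "ta", ["0.0.0.0/0", "::/0"])
RIR = make_cert("ta", "TA", "RIR", "rir", ["192.0.2.0/24", "198.51.100.0/24"])
LIR = make_cert("rir", "RIR", "LIR", "lir", ["192.0.2.0/24"])
EE = make_cert("lir", "LIR", "LIR-EE", "ee", ["192.0.2.0/25"])
ROA = make_roa(EE, 64496, "192.0.2.0/25", 26)
# The LIR issuing for space it was never allocated: the walk rejects it.
OVERCLAIM_EE = make_cert("lir", "LIR", "LIR-EE-bad", "ee", ["198.51.100.0/24"])
OVERCLAIM_ROA = make_roa(OVERCLAIM_EE, 64496, "198.51.100.0/24", 24)

if __name__ == "__main__":
    print(validate_roa(TA, [RIR, LIR], ROA))
    print(validate_roa(TA, [RIR, LIR], OVERCLAIM_ROA))
    for ann in [("192.0.2.0/25", 64496), ("192.0.2.0/27", 64496),
                ("192.0.2.0/25", 64497), ("198.51.100.0/24", 64496)]:
        print(ann, route_origin_validation(*ann, [ROA]))
```

The containment check in `validate_chain` is the part that makes the RIR's role meaningful: a relying party rejects the ROA for 198.51.100.0/24 not because the signature is wrong but because the LIR's own certificate never carried that prefix. The up/down protocol the thread refers to is how the child obtains that certificate from the parent in the first place; whether the child or a hosted third party then holds `KEYS["lir"]` is the choice discussed above.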